
NSURLConnection with client certificate and NTLM

I'm trying to access a server that is protected with NTLM authentication and requires a client certificate. I'm authenticating using delegate methods of NSURLConnection, and retrieving results with UIWebView.

I've managed to develop code for NTLM authentication and authentication when the server requires a client certificate:

- (void) connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {

    // authMethod is assumed to be an instance variable declared elsewhere.
    authMethod = challenge.protectionSpace.authenticationMethod;

    // Server certificate: the presented chain is returned as a credential
    // without being evaluated, so any server certificate is accepted here.
    if ( [challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust] )
    {
        [challenge.sender useCredential:[NSURLCredential credentialForTrust: challenge.protectionSpace.serverTrust] forAuthenticationChallenge: challenge];
        return;
    }

    // Client certificate requested during the TLS handshake.
    if ( [challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodClientCertificate] )
    {
        // ... code to extract certificate (sets myIdentity and certsArray) ...
        NSURLCredential *credential = [NSURLCredential credentialWithIdentity:myIdentity certificates:(NSArray*)certsArray persistence:NSURLCredentialPersistencePermanent];
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
        return;
    }

    // NTLM challenge at the HTTP layer; user name and password are placeholders.
    if ([challenge.protectionSpace.authenticationMethod isEqualToString:NSURLAuthenticationMethodNTLM])
    {
        NSURLCredential *credential;
        credential = [NSURLCredential
                      credentialWithUser:@"user"
                      password:@"password"
                      persistence:NSURLCredentialPersistencePermanent];
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
        return;
    }

    // Any other authentication method: let the URL loading system decide.
    [[challenge sender] performDefaultHandlingForAuthenticationChallenge:challenge];
}

Everything works fine when the server requires NTLM auth or a client certificate separately. When required together, both certificate information and NTLM credentials are received server-side, but IIS7 returns a 403 page asking for the client certificate...

Something you may need to know is that willSendRequestForAuthenticationChallenge is called four times in this order:

willSendRequestForAuthenticationChallenge: NSURLAuthenticationMethodServerTrust
willSendRequestForAuthenticationChallenge: NSURLAuthenticationMethodClientCertificate
willSendRequestForAuthenticationChallenge: NSURLAuthenticationMethodNTLM
willSendRequestForAuthenticationChallenge: NSURLAuthenticationMethodClientCertificate

Do you have any ideas?

Thanks in advance,

ridan asked Apr 08 '13 10:04
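
The NSURLAuthenticationMethodServerTrust branch in the question's handler returns the presented chain as a credential without evaluating it. The following is an added example, not part of the original post, showing that branch with the trust evaluated first; the helper name EvaluatedServerCredential is hypothetical, ARC is assumed, and SecTrustEvaluate is used because the thread concerns iOS 7/8 (it is deprecated from iOS 13 in favour of SecTrustEvaluateWithError).

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (name is an assumption, not from the post): returns a
// credential only when the system accepts the server's chain for this host.
static NSURLCredential *EvaluatedServerCredential(NSURLProtectionSpace *space)
{
    SecTrustRef trust = space.serverTrust;
    if (trust == NULL) {
        return nil;
    }

    // Re-apply the SSL server policy for the challenged host so that
    // hostname matching is part of the evaluation.
    SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)space.host);
    OSStatus status = SecTrustSetPolicies(trust, policy);
    CFRelease(policy);
    if (status != errSecSuccess) {
        return nil;
    }

    SecTrustResultType result = kSecTrustResultInvalid;
    if (SecTrustEvaluate(trust, &result) != errSecSuccess) {
        return nil;
    }

    // Unspecified: chain validates to a trusted anchor, no user override.
    // Proceed: the user has explicitly chosen to trust this certificate.
    if (result == kSecTrustResultUnspecified || result == kSecTrustResultProceed) {
        return [NSURLCredential credentialForTrust:trust];
    }
    return nil; // recoverable failure, deny, fatal failure, ...
}

// Drop-in replacement for the first branch of the delegate method above.
static BOOL HandleServerTrust(NSURLAuthenticationChallenge *challenge)
{
    NSURLProtectionSpace *space = challenge.protectionSpace;
    if (![space.authenticationMethod isEqualToString:NSURLAuthenticationMethodServerTrust]) {
        return NO; // not a server-trust challenge; caller handles the rest
    }
    NSURLCredential *credential = EvaluatedServerCredential(space);
    if (credential != nil) {
        [challenge.sender useCredential:credential forAuthenticationChallenge:challenge];
    } else {
        [challenge.sender cancelAuthenticationChallenge:challenge];
    }
    return YES;
}
```

In the delegate, `if (HandleServerTrust(challenge)) return;` takes the place of the original server-trust branch; the client-certificate and NTLM branches are unchanged.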


1 Answer

That worked in iOS 7 and doesn't in iOS 8. Are you using iOS 8? Test with iOS 7 (e.g. on the simulator) to confirm it is only an iOS 8 issue. It has something to do with the "stream is sending an event before being opened" error that you might see in the log window. Also waiting until it is fixed in iOS, but I still see it in the latest 8.2 beta 3.

Balki answered Nov 03 '22 08:11